<div dir="ltr"><div>Thanks for publishing this, Peter. I converted the file to a CSV, for those who wish to open it in Excel or something:</div><div><a href="https://s3.amazonaws.com/konklone-public/lv/ua-capabilities.csv.zip">https://s3.amazonaws.com/konklone-public/lv/ua-capabilities.csv.zip</a><br></div><div><br></div><div>The Python script I used to do the conversion is here:</div><a href="https://gist.github.com/konklone/d095fb7224716c9212e6">https://gist.github.com/konklone/d095fb7224716c9212e6</a><br><div><br></div><div>Also, people may find the IANA mapping of TLS extension values to names to be helpful:</div><div><a href="http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml">http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml</a><br></div><div><br></div><div>If it's helpful, I can look at adapting my script to break apart the flags/extensions field into their own cells for filtering per-flag/extension.</div><div><br></div><div>-- Eric</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Dec 23, 2015 at 5:11 PM, Peter Bowen <span dir="ltr"><<a href="mailto:pzb@amzn.com" target="_blank">pzb@amzn.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">In any discussion of setting policy, it is important to have data that can be used to understand possible impacts. A few months ago, I was able to work with the owners of some websites to help collect data on TLS capabilities of clients connecting to the website. This data was collected by having the site owners include a subresource in their site (e.g. image or javascript) that was loaded from a special server that logged TLS ClientHello messages as part of the access log. It also logged HTTP layer information such as the User-Agent header.<br>
<br>
The full data is described below, but one very notable result is that many connections were seen where the ClientHello did not match the browser capability. While it is hard to know exactly why, I assume it is because some application or appliance is proxying the TLS connection. For example, 39593 connections were observed where the user agent was listed as Chrome 45 on Windows 7 (or Server 2008 R2) but where no SHA-2 or AEAD algorithms were offered. On the other hand, only 0.55% of IE/Safari connections from NT 5 (XP) sent a handshake indicating a direct connection; the rest went via a TLS proxy that upgraded their TLS capabilities.<br>
<br>
The logs were processed to generate a summary of the client connections, including the User-Agent header value and a fingerprint of the ClientHello. The fingerprint contains several flags and then a list of TLS extensions included, in the order they appear in the ClientHello message. The possible flags are:<br>
sha2_mac: At least one offered cipher suite uses a SHA256 or SHA384 MAC<br>
aead: At least one offered cipher suite uses GCM or CCM or Poly1305<br>
des: At least one offered cipher suite uses single DES<br>
export: At least one offered cipher suite uses reduced strength cryptography that was considered export-grade long ago<br>
sha2_hashalg: The Signature Algorithms extension was sent and contained at least one of SHA-256, SHA-384, or SHA-512<br>
hello_v2: the ClientHello was in SSLv2 compatible format rather than SSLv3/TLS format<br>
“v” plus two numbers: the maximum supported protocol version (3.3 => TLS 1.2, 3.1 => TLS 1.0, 3.0 => SSLv3)<br>
<br>
The full data is available from <a href="https://s3-us-west-2.amazonaws.com/pzb-public-files/ua-capabilities.zip" rel="noreferrer" target="_blank">https://s3-us-west-2.amazonaws.com/pzb-public-files/ua-capabilities.zip</a> contains the results. The text file uses the tab character as a delimiter between the three fields and represents more than 210 million data points.<br>
<br>
I hope that anyone proposing changes to CA/Browser Forum Guidelines can share similar details to help everyone understand the impact of the proposals.<br>
<br>
Thanks,<br>
Peter<br>
_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><a href="https://konklone.com" target="_blank">konklone.com</a> | <a href="https://twitter.com/konklone" target="_blank">@konklone</a><br></div></div></div></div></div></div></div>
</div>